Topic: bitcoin core updated to 0.9.1 (Read 3505 times)

legendary
Activity: 1512
Merit: 1012
Still wild and free
April 12, 2014, 08:02:30 AM
#23
Even if an attacker obtained my wallet.dat, if it is encrypted with a long password, is it safe to say the stolen wallet is, for the time being, useless to the attacker?



Yes it is useless to the attacker.
But in a worst-case scenario with the Heartbleed bug, however, if you just recently sent coin and therefore unlocked your wallet, the private keys might be in memory and leaked to the attacker. This is just theoretical, in practice probably very unlikely.
sr. member
Activity: 406
Merit: 251
http://altoidnerd.com
April 11, 2014, 11:59:22 PM
#22
Even if an attacker obtained my wallet.dat, if it is encrypted with a long password, is it safe to say the stolen wallet is, for the time being, useless to the attacker?

donator
Activity: 1218
Merit: 1079
Gerald Davis
April 09, 2014, 01:10:19 PM
#21
Where is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64 ?

Same place as all prior versions
https://en.bitcoin.it/wiki/Data_directory


donator
Activity: 1218
Merit: 1079
Gerald Davis
April 09, 2014, 01:09:18 PM
#20
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

Final on any version of Bitcoin simply distinguished between that and the release candidate.

i.e. 0.9.0 RC1, 0.9.0 RC2, ,  0.9.0 Final.

Version 0.9 is final; it will never be updated.  Case in point: the next release was v0.9.1
full member
Activity: 154
Merit: 100
April 09, 2014, 12:33:48 PM
#19
i won't change, i feel secure :), less secure would be changing them
hero member
Activity: 535
Merit: 501
EMC
April 09, 2014, 12:31:58 PM
#18
Where is Wallet.dat placed in Bitcoin 0.9.x ver for Windows x64 ?
legendary
Activity: 3472
Merit: 4801
April 09, 2014, 08:35:32 AM
#17
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?"

FINAL means the final 0.9.0.  Any change that comes after that will go into 0.9.1.
legendary
Activity: 1512
Merit: 1012
Still wild and free
April 09, 2014, 06:18:49 AM
#16
Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www".
ty - I am not much expert in that - maybe some link, ty


The vulnerability is in the openssl library, that may be used by your browser among other things. But apparently firefox is using a different module for SSL capabilities, and not the openssl implementation, so it is not affected.
If a server was using that particular weak version of the openssl library, then anybody could dump data from that server, but not the other way around.

This is on the level of "browser not technically affected", however on the level of "user being safe" as you mention, things are less good: if a server was vulnerable, then the attacker could maybe use the weakness to take further control of the server (or impersonate it using its certificate), putting you at risk when you are doing your usual activity with what you believe is the usual friendly https server you have always talked to...
hero member
Activity: 1582
Merit: 502
April 09, 2014, 05:26:26 AM
#15
So if someone DIDN'T click on a bitcoin link using 0.9.0 they are safe right?
legendary
Activity: 2212
Merit: 1199
April 09, 2014, 05:11:56 AM
#14
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.

this is true. And 0.9.0 not final at all :)

And perhaps there will be always some issue to solve ...
OpenSource.
legendary
Activity: 1540
Merit: 1000
April 09, 2014, 04:57:10 AM
#13
You know, I was looking at their 0.9.0 version of the Bitcoin client, it said FINAL in big capital letters and then I thought "What if they find a new bug or vulnerability in it, then it won't be the final version at all will it?" open source software will always be improved upon and always be updated because there are so many people looking at the code and finding things.
member
Activity: 98
Merit: 10
April 09, 2014, 04:38:56 AM
#12
Good news that chrome and firefox are not affected.

Can you pls explain how can I be/was safe using FF connecting to "compromised OpenSSL www".
ty - I am not much expert in that - maybe some link, ty
legendary
Activity: 1512
Merit: 1012
Still wild and free
April 09, 2014, 03:33:03 AM
#11
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.

The memory of the browser is compromised, no need to type any password... it is enough if they are in the part of your RAM that can be dumped to the attacker. Same for session IDs.
Good news that chrome and firefox are not affected.
member
Activity: 84
Merit: 10
April 08, 2014, 11:54:20 PM
#10
LOL this is just big! if it's vlad who found it then he got himself attention for sure...
legendary
Activity: 2058
Merit: 1452
April 08, 2014, 11:00:49 PM
#9
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.
member
Activity: 98
Merit: 10
April 08, 2014, 05:54:36 PM
#8
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case :(

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one. :)

Switching to an online account would be foolish.  Shut down your client if you are worried.  Don't start it up again until you have upgraded.
THIS!!

1. Just don't panic
2. Shut down all bitcoin clients (better other ones, too - like multibit or armory)
3. upgrade
4. watch carefully for a few days - better don't start
5. move to another wallet - https://bitcointalksearch.org/topic/m.6132778 just for sure
6. read more about here:
https://bitcointalksearch.org/topic/m.6133060

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all httpS ...
(most paranoid - do it twice a day next 2 weeks - and don't forget them :P)


legendary
Activity: 2212
Merit: 1199
April 08, 2014, 05:50:08 PM
#7
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case :(
No worries too much. Problem is with Bitcoin-qt not with Multibit ...

And offline 3rd party wallets are not recommended to keep your BTCs  - online wallets are to keep reasonable amounts not all of your holdings...

Just do not worry as you are multibit user.
Just make sure your computer is behind a firewall, your router is behind a firewall, you can install some additional firewall, and antivirus, and spybot remover and just keep all safety steps in mind. E-mails, phishing web sites, etc. :)

regards.
legendary
Activity: 1148
Merit: 1018
April 08, 2014, 05:45:46 PM
#6
Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT). 

FYI:

- If you are using the graphical version of 0.9.0 on any platform, you must update immediately. Download here. If you can't update immediately, shut down Bitcoin until you can. If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised. Carefully generate an entirely new wallet (not just a new address) and send all of your bitcoins there. Do not delete your old wallet.
- If you are using any other version of Bitcoin-Qt/Bitcoin Core, including bitcoind 0.9.0, you are vulnerable only if the rpcssl command-line option is set. If it is not, then no immediate action is required. If it is, and if an attacker could have possibly communicated with the RPC port, then you should consider your wallet to be compromised.

This vulnerability is caused by a critical bug in the OpenSSL library used by Bitcoin Core. Successfully attacking Bitcoin Core by means of this bug seems to be difficult in most cases, and it seems at this point that even successful attacks may be limited, but I recommend taking the above actions just in case.

If you are using a binary version of Bitcoin Core obtained from bitcoin.org or SourceForge, then updating your system's version of OpenSSL will not help. OpenSSL is packaged with the binary on all platforms.

Download 0.9.1
Announcement

Other software (including other wallet software) may also be affected by this bug. OpenSSL is extremely common.
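
Added example, not part of the original thread and not Bitcoin Core code: the decision steps of the advisory quoted in the post above, written as a small Python check. The function names, result labels and sample config are constructed; treating any rpcssl value other than 0 as set is a conservative assumption.

```python
# Added example: triage logic following the advisory quoted above.
# Function names, result labels and SAMPLE_CONF are constructed for illustration.

SAMPLE_CONF = """\
# constructed sample bitcoin.conf
server=1
rpcuser=example
rpcssl=1   # RPC served over SSL
"""

def parse_conf(text):
    """Parse bitcoin.conf-style 'key=value' lines; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def rpcssl_set(conf_text="", argv=()):
    """True if rpcssl is enabled in the config text or on the command line.
    Conservative assumption: any value other than an explicit 0 counts as
    set, and a command-line argument overrides the config file."""
    opts = parse_conf(conf_text)
    for arg in argv:
        name, _, value = arg.lstrip("-").partition("=")
        if name == "rpcssl":
            opts["rpcssl"] = value or "1"
    return opts.get("rpcssl", "0") != "0"

def triage(version, gui, used_payment_protocol=False,
           rpcssl=False, rpc_reachable=False):
    """Return the advisory's action for one installation."""
    # rpcssl plus a reachable RPC port means compromise for any build
    # (applying this to the GUI as well is a conservative reading).
    compromised = rpcssl and rpc_reachable
    if gui and version == "0.9.0":
        compromised = compromised or used_payment_protocol
        return "consider-wallet-compromised" if compromised else "update-immediately"
    if rpcssl:
        return "consider-wallet-compromised" if compromised else "vulnerable"
    return "no-immediate-action"

if __name__ == "__main__":
    print(triage("0.9.0", gui=False, rpcssl=rpcssl_set(SAMPLE_CONF)))
```
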
donator
Activity: 1218
Merit: 1079
Gerald Davis
April 08, 2014, 05:36:47 PM
#5
Just so we're clear, the bug only affects bitcoin-qt and not any other 3rd party wallet like multibit right?

I'm going to transfer all my bitcoin to an online account just in case :(

Do you use SSL for remote RPC calls to your bitcoind daemon?  No.  Then it doesn't affect you even if you use Bitcoin-Core (the client formerly known as Bitcoin-QT).  Forgot about the new payment protocol system.  Great timing on that one. :)

Switching to an online account would be foolish.  Shut down your client if you are worried.  Don't start it up again until you have upgraded.
legendary
Activity: 1148
Merit: 1018
April 08, 2014, 05:34:14 PM
#4
I'm going to transfer all my bitcoin to an online account just in case :(

I hope you are joking.